Finding the Details
“If you know the enemy and know yourself, you need not fear the result
of a hundred battles.
If you know yourself but not the enemy, for every victory gained you
will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every
battle.” – Sun Tzu
In this week’s assignment you will be taking part in building out an
actor centric targeting plan, making use of the intelligence cycle and
intelligence gathering techniques. You will focus your work on
collecting information on LulzSec; make use of the information from
the provided resources and your own research to build out the
targeting, using knowledge of details such as its formation, its
members, its collapse, its attacks, etc.
Actor Centric Targeting – Finding the Details (Cyber Intelligence, Week 2)

01 Identify Your Adversary
02 Identify Known Internal Information
03 Identify Known External Information
04 Identify Strategic Intelligence
05 Identify Tactical Intelligence
06 Collate Information into the Pyramid of Pain
07 Collate Information into the Kill Chain
08 Transform the Intelligence into a Workable Report

Start Finding The Details
You will want to begin building your repository of information on LulzSec. You will make use of the two documents provided as well as information you go out and collect on your own.

Section 1 – Raw Known Data
For this portion of the lab, I want a list of all the data you collected during your work; this is known internal and external information.

Section 1.5 – Identify Strategic and Tactical Intelligence
For this portion of the lab, I want a breakdown of the known data into what is key strategic and tactical intelligence. You will combine this with Section 1 data using appropriate tags with your data, i.e. *TACTICAL* or *STRATEGIC*.

Section 1.75 – Identify the Reliability and Credibility of the Intelligence
For this portion of the lab, I want you to rate the reliability and the validity of the intelligence collected. You will combine this with Section 1 data using appropriate tags with your data. Example column layout:

Intelligence | Strategic/Tactical | Reliability | Credibility

Section 2 – Present the Pyramid of Pain
For this portion of the lab, you will lay out the pertinent intelligence collected into the appropriate layers of the Pyramid.

Section 3 – Present the Kill Chain
For this portion of the lab, I want you to build out a Kill Chain using the collected information. See the GLASS WIZARD Kill Chain example in your book.

Section 4 – Collate and Organize Your Intelligence into a Summary
For this portion of the lab, I want you to present a summary of the key intelligence that can be used by your organization to prepare for a theoretical upcoming attack from LulzSec.
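As an added worked example (not part of the lab hand-out or of the paper that follows), the Python worksheet below carries one record set through Sections 1.5 to 4: rows carry the lab's *STRATEGIC*/*TACTICAL* tag and a reliability/credibility rating, are validated, and are then collated into the Pyramid of Pain, the kill chain, and a filtered summary. Two assumptions: the NATO/Admiralty A-F and 1-6 scale is used for the ratings (the lab names no scale), and the kill chain is the seven-phase Lockheed Martin model; the rows and their ratings are constructed from the case study below, not values the paper states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed rating scale: NATO/Admiralty source reliability A-F, item credibility 1-6.
RELIABILITY = "ABCDEF"
CREDIBILITY = "123456"

# Pyramid of Pain layers, bottom (cheapest for the adversary to change) to top.
PYRAMID_LAYERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Assumed kill-chain model: the seven Lockheed Martin intrusion kill chain phases.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]


@dataclass
class IntelItem:
    fact: str             # Section 1: the raw known datum
    level: str            # Section 1.5 tag: STRATEGIC or TACTICAL
    reliability: str      # Section 1.75: A (reliable) .. F (cannot be judged)
    credibility: str      # Section 1.75: 1 (confirmed) .. 6 (cannot be judged)
    layer: str            # Section 2: Pyramid of Pain layer
    phase: Optional[str]  # Section 3: kill-chain phase, or None if not placeable


def parse_record(line: str) -> IntelItem:
    """Parse one pipe-delimited worksheet row and validate every tag on it."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"expected 6 columns, got {len(parts)}: {line!r}")
    fact, level, rel, cred, layer, phase = parts
    level = level.strip("*").upper()          # accept the lab's *TACTICAL* style
    if level not in ("STRATEGIC", "TACTICAL"):
        raise ValueError(f"bad level tag {level!r}")
    rel = rel.upper()
    if rel not in tuple(RELIABILITY) or cred not in tuple(CREDIBILITY):
        raise ValueError(f"bad reliability/credibility rating {rel}/{cred}")
    if layer not in PYRAMID_LAYERS:
        raise ValueError(f"bad pyramid layer {layer!r}")
    phase_val = None if phase.lower() in ("", "-", "none") else phase.lower()
    if phase_val is not None and phase_val not in KILL_CHAIN:
        raise ValueError(f"bad kill-chain phase {phase!r}")
    return IntelItem(fact, level, rel, cred, layer, phase_val)


# Constructed worksheet rows summarising the case study; the ratings are an
# analyst's illustrative calls, not values taken from the paper.
WORKSHEET = """\
SQL injection against public web apps to dump user tables | *TACTICAL* | B | 2 | ttp | exploitation
Stolen credentials published; followers urged to reuse them on Facebook/PayPal | *TACTICAL* | B | 2 | ttp | actions_on_objectives
Occasional DDoS against gaming and government sites | *TACTICAL* | B | 3 | tool | actions_on_objectives
Tor used to hide operator IP addresses | *TACTICAL* | C | 3 | tool | -
Twitter @LulzSec -> Pastebin -> Pirate Bay release chain | *TACTICAL* | A | 1 | artifact | actions_on_objectives
Small crew of about six, opportunistic targets across government and media | *STRATEGIC* | B | 2 | ttp | reconnaissance
Targets solicited publicly (phone line, Twitter) before attacks | *STRATEGIC* | C | 3 | ttp | reconnaissance
"""


def load_worksheet(text: str) -> List[IntelItem]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def pyramid_of_pain(items: List[IntelItem]) -> Dict[str, List[str]]:
    """Section 2: facts grouped by layer, ordered bottom to top."""
    out: Dict[str, List[str]] = {layer: [] for layer in PYRAMID_LAYERS}
    for it in items:
        out[it.layer].append(it.fact)
    return out


def kill_chain(items: List[IntelItem]) -> Dict[str, List[str]]:
    """Section 3: facts grouped by phase in chain order; unplaced facts are skipped."""
    out: Dict[str, List[str]] = {ph: [] for ph in KILL_CHAIN}
    for it in items:
        if it.phase:
            out[it.phase].append(it.fact)
    return out


def summary(items: List[IntelItem], min_rel: str = "B", min_cred: str = "3") -> List[str]:
    """Section 4: keep facts rated at least min_rel/min_cred, strategic first,
    then the highest pyramid layer first (hardest for the adversary to change)."""
    keep = [it for it in items
            if it.reliability <= min_rel and it.credibility <= min_cred]
    keep.sort(key=lambda it: (it.level != "STRATEGIC",
                              -PYRAMID_LAYERS.index(it.layer)))
    return [f"[{it.level}] ({it.reliability}{it.credibility}) {it.fact}" for it in keep]


if __name__ == "__main__":
    items = load_worksheet(WORKSHEET)
    for layer, facts in reversed(list(pyramid_of_pain(items).items())):
        print(f"{layer:>8}: {'; '.join(facts) or '-'}")
    for phase, facts in kill_chain(items).items():
        print(f"{phase:>22}: {'; '.join(facts) or '-'}")
    print("\n".join(summary(items)))
```

The summary deliberately drops rows rated worse than B/3, so a single-source claim (such as the solicited-targets row rated C3) stays in the raw data of Section 1 but does not reach the report until it is corroborated.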
Issues in Information Systems Volume 13, Issue 1, pp. 133-143, 2012
HACKERS GONE WILD: THE 2011 SPRING BREAK OF LULZSEC
Stan Pendergrass, Robert Morris University, [email protected]
ABSTRACT

Computer hackers, like the group known as Anonymous, have made themselves more and more relevant to our modern life. As we create and expand more and more data within our interconnected electronic universe, the threat that they bring to its fragile structure grows as well. However, Anonymous is not the only group of hackers/activists or hacktivists that have made their presence known. LulzSec was a group that wreaked havoc with information systems in 2011. This will be a case study examination of their activities so that a better understanding of five aspects can be obtained: the Timeline of activities, the Targets of attack, the Tactics the group used, the makeup of the Team and a category which will be referred to as The Twist for reasons which will be made clear at the end of the paper.

Keywords: LulzSec, Hackers, Security, AntiSec, Anonymous, Sabu
INTRODUCTION

Information systems lie at the heart of our modern existence. We deal with them when we work, when we play and when we relax; texting, checking email, posting on Facebook, Tweeting, gaming, conducting e-commerce and e-banking have become so commonplace as to be nearly invisible in modern life. Yet, within each of these electronic interactions lies the danger that the perceived line of security and privacy might be breached and our most important information and secrets might be revealed and exploited. Sometimes this fear is based on an imagined vulnerability inherent within the system itself or it could be based on a fear that individuals will somehow actively exploit those vulnerabilities for their own unknown purposes. Those individuals have over the years become known as “hackers.” While the term hackers can be used to designate any number of individuals or groups with any number of purposes or connections, as of late, it has been used more and more to define one internet-based group known as “Anonymous.” They have organized and participated in Distributed Denial of Service (DDoS) attacks, rendering websites temporarily unavailable and unusable, hurting companies through lost potential revenue and increased security expenses. They have organized and participated in electronic and physical protests and operations which have run the gamut from serious political statements to harmless fun. But Anonymous is not the only group of hackers in cyber space. Other groups have reared up and come into the spotlight. In the Spring and Summer of 2011, one group was particularly active and eclipsed Anonymous for a time.
This group called itself LulzSec, a portmanteau of Lulz (the plural of the acronym for “Laughing Out Loud” or lol) and Security, and announced they were in the business of stealing information and distributing it to the world, “for the lulz of it.” For eight weeks that year, they taunted law enforcement authorities, hacked into multi-billion dollar corporations, federal agencies, internet security firms and government institutions and brazenly posted their ill-gotten goods for all the world to see. Then, they suddenly announced their retirement and were gone, just as quickly as they had appeared. However, their story did not end when they supposedly retired. That story is still playing out today, in ways that were almost unbelievable. This paper will look at the activities of LulzSec and describe the events of this recent hacker group and the ways it operated, so that the complete story might be better understood.
RESEARCH METHODOLOGY

This study involved no participants per se, in that there were no direct interviews with people who might claim to be a part of LulzSec or claim to know someone who is or was in the group. There is almost no way to verify those claims and those who are or were in the group are most likely not going to admit it pending legal action or indictment. Therefore, all information was taken from secondary data collection.
Data was collected from a variety of secondary sources using a variety of means. There has not been a lot of detailed academic research devoted to the actual group, most likely because it is so contemporary. Most of the information came from news sources that reported on LulzSec’s activities. This formed the bulk of the data collected. Additional electronic sources of material were also used, which included hacker blogs, Twitter accounts, web pages, posted information and announcements on Pastebin and file sharing sites. Media taken from sources other than the internet were also used: newspapers, magazines, radio and television broadcasts, and documentaries. Official government reports, announcements and documents were included, as well as legal indictments which have been unsealed and released to the public. In order to condense such a huge amount of information and turn it into a coherent, concise story, the case study method of research was the model. Yin [30] described two criteria for using this method of study. First, a case study methodology is useful in order to understand a real-life phenomenon in depth, and secondly, a case study copes with a technically distinctive situation where there are many more variables of interest than data points and multiple sources of evidence [30]. This case study looked at a wide variety of secondary data collected from a variety of sources to try and determine an overall understanding of several aspects of LulzSec. Yin [30] described several analytical strategies which can be used to analyze the collected data. This study created a descriptive framework for organization and analysis. This strategy is useful when a lot of data has been collected without having settled on an initial set of research questions or propositions [30]. Yin’s example of the organizational model of the Middletown sociological study [20] could be considered relevant and therefore was adapted for this study.
LulzSec’s activities were grouped into five categories for analysis: the “Timeline” of activities, the “Targets” of attack, the “Tactics” the group used, the makeup of the “Team” and a category which will be referred to as “The Twist” for reasons which will be made clear at the end of the paper.
RESULTS
Timeline

Between 17 and 19 April, 2011, Sony’s PlayStation Network (PSN) and Qriocity Network were hacked and users’ personal data, to include usernames, credit card information, etc., had been compromised [24]. On 20 April, Sony completely shut down their networks but did not mention to the public the reason: that their network had been invaded. It would take another two days before that announcement would take place and even then Sony did not announce that personal information had been compromised. That announcement would take place on 26 April. On the first of May, bowing to public outrage over this public relations nightmare, Sony executives formally apologized and said they expected full service to be up by mid-May [24]. They blamed Anonymous for the hack; however, persons who claimed to be part of Anonymous denied having any involvement. If that were true, then perhaps there was some new agent on the hacking scene. That realization would be made clear within the week. On the 7th of May, an announcement from a new group was released; they called themselves “LulzSec.” LulzSec announced that unlike Anonymous’ reasoned and determined hacks and attacks, they were only in it “for the lulz of it” [9]. Their first announcement stated:
Hello, good day, and how are you? Splendid! We're LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calender [sic] year. As an introduction, please find below the X-Factor 2011 contestants' contact information. Expect more to come, and if you're like us and like seeing other people get mad, check out our Twitter! http://twitter.com/LulzSec. [14]
Their method of dissemination was quick, simple and seemingly untraceable. Tweets on the Twitter page they established contained links to unattributed Pastebin announcements which often contained http addresses of Pirate Bay postings where files of hacked information could be downloaded by anyone. On 10 May, LulzSec announced their hack of Fox.com and posted links to files containing inner-working and sales database information along with a list of sales department’s emails and passwords [9]. LulzSec urged their followers to try and use the emails and passwords to log into Facebook, MySpace and PayPal accounts to see what further damage could be caused. On 15 May a hack of U. K. ATM machine data was released [9]. In their announcement LulzSec confessed that while there appeared to be little profitable information in the data, perhaps someone could find it useful in some way. Included in their hack release were altered lyrics set to the theme song from the 1970’s television series The Love Boat which also included an ASCII representation of a Viking boat which they christened The Lulz Boat.
Figure 1. ASCII Art representation of the LulzBoat on May 15, 2011 PasteBin Press Release
The 23rd of May brought a release of data from Sonymusic.co.jp databases; nothing particularly useful but still another hack of a Sony website [9]. On the 24th of May, PBS ran a Frontline Series documentary titled WikiSecrets which focused on PFC Bradley Manning, the American soldier accused of leaking classified information and documents on the war to the whistleblower website WikiLeaks. In retaliation for what they claimed was a biased and unflattering portrait of Manning and WikiLeaks founder Julian Assange, on 30 May LulzSec hacked into and defaced the PBS.org website by posting a fake news story on the site which stated that rappers Tupac Shakur and Biggie Smalls were not deceased but were alive and well and living in an unnamed small town in New Zealand [7, 9].
Figure 2. Hacked PBS.org Website article stating Tupac Shakur is living in New Zealand
Figure 3. ASCII Art Press Release Banner on May 30, 2011 PasteBin Press Release
On 2 June, LulzSec released data from their latest hack which they labeled Sownage, for Sony + Ownage. LulzSec said it was able to gain passwords, e-mail addresses, home addresses, birthdates, and all Sony opt-in data associated with users' accounts from some one million users of SonyPictures.com [9]. Some of the exposed personal information also included home telephone numbers, which was confirmed by the Associated Press. None of the users’ IDs and passwords were encrypted by Sony; this, still after the other numerous hacks months before! Information from the databases of Sony BMG Belgium and the Netherlands was also included, as well as a varied assortment of Sony user and staffer information [9, 22]. Purportedly in response to a White House announcement that an act of cyber sabotage on the United States by another country could be considered an act of war [11], LulzSec defaced the website and released email, username
and password information of a company that does business with the FBI, Infragard, specifically the Atlanta office. They also obtained personal and company email of one of Infragard’s employees, a Mr. Karim Hijazi, as he had also established a company, Unveillance, which specializes in data breaches and botnet detection. After LulzSec contacted Mr. Hijazi to inform him of the breach, he offered to hire LulzSec hackers to attack his competitors. LulzSec posted the web chat records in their release to mock and embarrass him. Sownage 2 was announced on 6 June when 54MB of SVN Sony developer code as well as internal network maps of Sony BMG were displayed. Four days after that, a collection of 26,000 user email addresses and passwords to a pornography website, pron.com, were released. LulzSec specifically pointed out, by highlighting them at the top of the list, addresses from 6 users who used their government computers’ address as account information and 55 admin/webmasters of other porn sites [9]. On 13 June, two announcements were released for two separate hacks. Senate.gov server information and Bethesda Softworks, ZeniMax Media and Brink internal data were displayed. In an unusual twist, LulzSec reported that they would not release information they claimed they had on over 200,000 Brink users because they actually liked the game and wanted Bethesda to speed up development work on the next installment of their video game series, The Elder Scrolls V: Skyrim. On the 15th of June, LulzSec set up a telephone line with an answering machine and tweeted a solicitation for suggestions as to whom they should go after next [27]. That same day, the CIA was the focus of a Denial of Service (DoS) attack. The CIA’s public web site was briefly down; however, it came back online fairly quickly [9, 21, 28]. LulzSec apparently went to war with Anonymous on 16 June.
It began when LulzSec called for a “DDoS party” on a variety of websites and game servers popular with videogamers, including those of EVE Online, League of Legends and Minecraft; all the websites suffered outages or slowdowns. Those who frequented 4Chan’s /v/ board for video game enthusiasts caught wind of the attacks and called for an attack on LulzSec. Then LulzSec tweeted a link to 4Chan’s /b/ board to slow it down and also released 62,000 random logins in return for flooding /b/ [8, 9]. The next day, LulzSec celebrated their 1000th Tweet with a sort of manifesto to their friends and foes reiterating that they were in the hacking game purely for the fun of all the confusion and consternation they create. Two days later, three days after their attack on Anonymous, on 19 June, LulzSec announced the start of Operation AntiSec. AntiSec, which stood for Anti-Security, was to be an ongoing operation where both LulzSec and Anonymous would team up to steal and leak any classified government information they could get their hands on. Prime targets were announced to be banks and other high-ranking establishments [1, 9]. Anonymous amazingly confirmed this by tweeting through their Twitter account AnonOps, “We are not at war [with LulzSec]. We are bros of teh internetz [sic]” [4]. However, LulzSec’s fortunes were apparently starting to change. All this mischief was not going unnoticed by the authorities. On the 21st of June, Ryan Cleary, a 19-year-old U. K. hacker, also known as ViraL [9, 26], was arrested by U. K. police and charged with violating the country's computer fraud laws for participating in cyber attacks on various British organizations [2]. LulzSec tried to distance themselves from him, claiming he was “at best, only mildly associated” with them. They claimed that his only involvement was allowing LulzSec to use his servers. On 23 June, LulzSec released what they called their “Chinga La Migra Bulletin #1 6/23/2011” [18].
With it, they released hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement officials. They claimed to target Arizona law enforcement to protest Arizona Senate Bill 1070 which was a controversial strict anti-illegal immigration bill. The Bulletin further announced that they would be releasing more and more classified documents each week in a demonstration against governments, corporations, police and militaries around the world [18]. Just two days later, 50 days since LulzSec began making announcements and taking credit for releases of massive amounts of information, they suddenly announced their retirement as a hacking group. The last official document reiterated their manifesto ideals, professed continued support of Operation AntiSec and ended with links to hacked
information on their website and Pirate Bay. After that, LulzSec disappeared just as suddenly as it had appeared. Their two months of terror, fun and chaos had ended. The retirement announcement ended with the following:
So [ ] it's time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere. Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon. Let it flow… Lulz Security – our crew of six wishes you a happy 2011, and a shout-out to all of our battlefleet members and supporters across the globe. [19]
Targets

When examined over the timeline of their attacks, LulzSec’s victims would seem to have little in common with one another; however, if one looks at the types of websites that were attacked, distinct patterns emerge. Websites fall into two distinct divisions, either Government or Media websites. Those can be further divided into related sub-categories. Government can be grouped into Federal (i.e., Senate, FBI, Infragard, CIA) or State (Arizona law enforcement). Media can be grouped into News (Fox, PBS) and Entertainment (Fox, Sony, PBS, pron.com, Bethesda Softworks, ZeniMax Media, Brink, EVE Online, League of Legends and Minecraft). There was also the attack on 4Chan’s /b/ board; however, that was only because Anonymous members were attacking LulzSec at the time for the DoS to online gaming websites and did not appear to be a forethought action.

Tools

LulzSec’s greatest tool was their attack. Two methods of attack were used. The first and most extensively used was Structured Query Language (SQL) code injections into websites. When successful, it would allow LulzSec access to website internal information such as system files, content and the most valuable content, users’ identification data. This type of attack was where LulzSec had its greatest successes. Nearly all of their influence was a result of leaked data and information they were able to obtain from hacked websites and databases. The second method was through DDoS attacks; however, they rarely used this. DDoS attacks require either a large number of participants or continued use of special software which repeatedly bombards websites until they shut down. Once they had SQL injection-obtained data, there were a number of social media, utility and file sharing sites they used to announce, store and thus disseminate the data. For instance, Twitter (@LulzSec) was used to make public announcements of activities, actions, success, and to convey whatever up-to-the-minute information LulzSec wanted to convey.
Some Twitter feeds would have attachments which linked to PasteBin posts which could lead to their more formal and lengthy press releases. Those releases were often more than Twitter’s limit of 140 characters so PasteBin was used. LulzSec was also fond of including ASCII art in the header and body of the release. Press releases and Twitter Tweets often included addresses to links on the file sharing site Pirate Bay which often in turn contained torrent files with the stolen data. This way, as long as Pirate Bay hosted the link, anyone could access and download the data files. Internet Relay Chat (IRC) Channels were used for active and prolonged conversations within the group [10]. LulzSec even solicited BitCoin electronic cash donations to fund their continued activities [17].
Figure 4. LulzSec Twitter account logo
None of this could have been accomplished without another important tool, anonymity. In order to achieve continued anonymity, they had to use anonymity-guaranteeing software such as The Onion Router (TOR). TOR software was originally developed by the Navy to provide anonymity to users. Users access the TOR network by installing the free software package. By using the software, all content is passed between random guard, relay and exit node servers so that the user’s unique Internet Protocol (IP) address cannot be directly traced back to the original point of entry, i.e., their own computer. Anonymity allowed LulzSec to communicate, hack, post and taunt without law enforcement being able to detect where or even who they were. Of course, this anonymity was only possible if one used the TOR software and network exclusively [25, 29].

Tactics

The name the group chose for themselves, a portmanteau of Lulz and Security, could be considered telling in that it was an indication of both their motivation (lulz) and inclination (security). Their motivation was to randomly hit a wide variety of targets and post the stolen data for anyone to use. While in some cases they hinted at how it might be used [16], for the most part it was posted with no provided purpose other than for their own amusement, to show the world what they did and that they could do it. These actions had a direct and profound effect on perceived internet security, their inclination. Taken in a broader context, it was the security of the system itself which was affected, not necessarily security entities themselves. For instance, while they did attack some websites belonging to entities whose actual purpose was security (Infragard, FBI, CIA, Arizona Law Enforcement), they also went after entities that had nothing to do with security per se (Sony, PBS, Fox News, Bethesda Softworks).
But in the end, all of those sites as well as sites which had nothing to do with LulzSec attacks, were stained with the hackers’ brush. Those effects continue to linger on through to today. The lulz showed through in a variety of ways. For instance, their press releases and tweets were often very funny and clever. Their second announcement ended with the below divider before the hacked Fox.com emails and password information.
————————————————————————————— ————————————————————————————— –Raped material goes below the shiny dashes oh god they’re so shiny– ————————————————————————————— ————————————————————————————— [15]
There was a taunting aspect to everything they did. Press releases often dared the authorities to come after them. It was a braggadocio attitude that undoubtedly infuriated those who were trying to track them down, not only law enforcement agencies but other white hat and black hat hackers who were working to expose them as well.
Team

LulzSec has always maintained that they were a small team of hackers. Their initial press release announced that they were “a small team of lulzy individuals”. Their final press release at the end of the 50 days of LulzSec mentioned that they were a “crew of six” [19]. Given the timing of the hacks, some coming days after the previous one, the type of attacks conducted, on individual and specific websites, and the limited use of DDoS barrages, the conclusion is that the group was indeed small, fast, agile and closely knit. Anonymous’ method of getting the hive mind to come to a moral cause to attend to, getting legions of individuals to commit to a coordinated and persistent action, requires a lot of participants. LulzSec, on the other hand, moved quickly and stealthily and announced what they had done for the most part after the fact, not before. This would seem to support the conclusion that LulzSec was indeed a small team of closely knit hackers.

The Twist

After the arrest of LulzSec member Ryan Cleary on the 21st of June and their sudden retirement on 25 June, 2011, LulzSec seemed to have faded back into the crowd, as nothing was heard from the group after that. That is not to say that hacking died the day LulzSec packed up. There continued to be hacks of various websites; some of them were attributed to Anonymous [3] and some of them even waved the AntiSec banner, but nothing like what LulzSec had accomplished. The group just seemed to vanish. However, on 6 March, 2012, almost a year after LulzSec first popped up, an indictment filed in August in the United States District Court of Southern New York was unsealed. The indictment was against a Hector Xavier Monsegur, also known as Sabu, the avowed leader of LulzSec [12]. Inside, it detailed his hacks with a variety of hacker groups: first Anonymous, then with a group which called itself Internet Feds and finally with LulzSec.
Seemingly coincidentally the same day the indictment was unsealed, four members of LulzSec and one member of Anonymous were also arrested by U.S. and U.K. law enforcement agents.
Ryan Ackroyd (AKA Kayla), 23, of Doncaster, United Kingdom, Jake Davis (AKA Topiary), 29, of Lerwick, Shetland Islands, Darren Martyn (AKA pwnsauce), 25, of Galway, Ireland, and Donncha O’Cearrbhail (AKA palladium), 19, of Birr, Ireland, were charged with various offences connected to LulzSec. O’Cearrbhail was further charged in a separate case with intentionally disclosing an unlawfully intercepted wire communication – a conference call between law enforcement officers on both sides of the Atlantic discussing investigations against members of Anonymous that was leaked by the hacktivist collective last month. A fifth suspect – Jeremy Hammond (AKA Anarchaos), 27, of Chicago, Illinois – was arrested on access device fraud and hacking charges, and is suspected of involvement in the December Anonymous hack on security intelligence outfit Stratfor. [3, 13]
As it turns out, Sabu had been working for the FBI since 7 June as an informant of sorts. He was forced into this position after the authorities had arrested him and threatened him with jail time, which would have placed his nieces into foster homes as he was their sole guardian while their mother was in prison. The FBI had earlier identified him as the likely head of the group after he made the mistake of failing to use the TOR Network every time he used his computer. “He logged into an Internet relay chatroom from his own IP address without masking it. All it took was once. The f